We already made a video about Petya ransomware and how to decrypt files encrypted by it. However, that method works only under very specific circumstances, which makes it not that useful.
Thanks to an independent researcher with the nickname Leo stone (@Leo_and_stone on Twitter), a new online decryption solution is available, and it works like a charm. Here's how to decrypt your files.
First, detach the infected hard disk from the infected PC (it's usually the disk containing the OS) and then attach it to a non-infected computer as a secondary drive. There is a very helpful tool created by Fabian Wosar that extracts the sectors needed for the decryption process from the infected disk. Download it from the link in the description, and bear in mind that even if your antivirus marks it as a virus, it's not.
Now open the extractor, and it should detect the infected drive. Click "Copy sector", open the decryption website from the link in the description, and paste the copied data into the "Base64 encoded 512 bytes verification data" window. Then click "Copy Nonce" in the extractor tool and paste it into the "Base64 encoded 8 bytes nonce" window. Click "Submit", and the website should return a decryption key. Copy that key somewhere safe and mount the hard drive back in the infected computer. Turn the power on, and when you see the Petya ransomware boot screen, simply enter that key in the appropriate field at the bottom. The decryption process should start.
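If the website rejects the input or the returned key does not work, a damaged copy-and-paste is the first thing to rule out. The following Python check is an added example, not part of the extractor tool or the decryption website: it confirms that the two copied values are valid Base64 and decode to the 512 and 8 bytes the form fields expect. The function names are hypothetical and the sample values are constructed.

```python
import base64
import binascii

SECTOR_LEN = 512  # size the "verification data" field expects, per the steps above
NONCE_LEN = 8     # size the "nonce" field expects, per the steps above

def decoded_len(text):
    """Bytes encoded by a Base64 string, or None if it is not valid Base64."""
    cleaned = "".join(text.split())  # drop line wraps/spaces added by the clipboard
    try:
        return len(base64.b64decode(cleaned, validate=True))
    except (binascii.Error, ValueError):
        return None

def check_inputs(sector_b64, nonce_b64):
    """Return a list of problems with the two pasted values (empty list = OK)."""
    sizes = (decoded_len(sector_b64), decoded_len(nonce_b64))
    if sizes == (NONCE_LEN, SECTOR_LEN):
        return ["fields look swapped: nonce is in the sector field and vice versa"]
    problems = []
    fields = (("verification data", sizes[0], SECTOR_LEN),
              ("nonce", sizes[1], NONCE_LEN))
    for name, got, want in fields:
        if got is None:
            problems.append(f"{name}: not valid Base64 (truncated or altered copy?)")
        elif got != want:
            problems.append(f"{name}: decodes to {got} bytes, expected {want}")
    return problems

# Constructed sample values (not taken from a real disk).
SAMPLE_SECTOR = base64.b64encode(bytes(range(256)) * 2).decode()
SAMPLE_NONCE = base64.b64encode(bytes(range(8))).decode()

if __name__ == "__main__":
    print(check_inputs(SAMPLE_SECTOR, SAMPLE_NONCE))        # clean copy
    print(check_inputs(SAMPLE_SECTOR[:-4], SAMPLE_NONCE))   # sector cut short
    print(check_inputs(SAMPLE_NONCE, SAMPLE_SECTOR))        # pasted into wrong fields
```

An empty list means both values have the expected size; any other result means the value should be copied again from the extractor before submitting.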
I hope this video was helpful. If you have any interesting topics you'd like to see on video, please leave a comment, and don't forget to subscribe.